A coprocessor is a dedicated component designed to perform calculations, in particular to offload work from the microprocessor to which it is coupled. It is generally driven by the microprocessor, which communicates with it through registers to load calculation data, to configure it, and finally to retrieve the results of the calculations and to be informed of the end of the calculations. A coprocessor generally comprises a control block, comprising an interface with the data bus of the microprocessor and a state machine sequencing the progress of the calculations, and a calculation unit (also called the “data path”) controlled by the control block.
In secured integrated circuits, such as those designed for smart cards, coprocessors are used in particular to perform cryptographic calculations, and thus handle secret keys. These coprocessors are therefore the targets of attacks aiming to discover these keys.
In recent years, the techniques for hacking secured microprocessor integrated circuits (e.g., microprocessors, microcontrollers, microprocessor memories, coprocessors, etc.) have developed considerably. The most advanced hacking methods currently involve injecting errors at determined points of an integrated circuit during the execution of so-called sensitive operations, such as authentication operations or operations executing a cryptography algorithm. Such attacks by error injection, also referred to as fault injection attacks, make it possible, in combination with mathematical models, to deduce the structure of a cryptography algorithm and/or the secret keys it uses. The fault injection can be done in various ways: by introducing glitches into the supply voltage of the integrated circuit, by introducing glitches into the clock signal of the integrated circuit, by exposing the integrated circuit to radiation, etc.
Thus, the detection of error injections is considered an important measure for guaranteeing a high level of security in certain integrated circuits, particularly integrated circuits for smart cards.
A method for monitoring the execution of a program is already known, particularly through EP 1,161,725, which involves producing cumulative signatures that vary according to the instruction codes that pass through the instruction register of a microprocessor. Such a method enables a derailment of the program being executed, particularly one due to an error injection, to be detected.
However, one type of attack against which a microprocessor integrated circuit must be protected is the injection of errors into the data supplied to a peripheral element, particularly a cryptographic coprocessor (which is generally integrated onto the same silicon chip as the microprocessor). Monitoring for a derailment during the execution of a program by a microprocessor does not enable an attack on the related coprocessor to be detected, because the coprocessor processes each command sent by the microprocessor without interacting with the microprocessor before the end of the processing.
Techniques for detecting an attack on a coprocessor do exist. One of these techniques involves running the calculation corresponding to the command received several times, then comparing the results obtained. If these results are identical, it can be deduced that no attack has occurred. In this way, to make a successful attack, the error injection must be repeated several times, and in an identical manner in terms of its effects and timing. This technique multiplies the calculation time by the number of iterations, which is a major disadvantage. Further, where an error would be revealed in connection with the state of a state machine, the injection of a fault can result in skipping a state, and thus in masking the error.
Another technique involves providing an additional fault injection detection logic circuit. For the calculation unit, which has no deterministic properties since the data processed are not predictable, redundant data paths are provided and the signals in the redundant paths are compared on the fly for identity. The detection of a difference between two redundant signals triggers the activation of an error signal. For the control block, which has a deterministic aspect, a signature circuit is used which calculates a signature, throughout the operation performed by the coprocessor, using certain control signals controlling the calculation unit. At the end of the calculation, the calculated signature is compared with an expected value and, if a difference is detected, revealing a fault injection, an alert signal is activated. However, the comparison, whether performed by software or by a circuit, can be bypassed by an appropriate fault injection. This technique thus has a flaw.
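The control-block signature check described above can be modelled in a few lines of C. This is an added illustration, not part of the original text: the control words, the six-state sequence and the CRC-16/CCITT-style signature register are assumptions chosen for the model, and a skipped state stands for the effect of a fault on the sequencer.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed control words, one per state of a hypothetical control block:
   load key, load data, three identical rounds, store result. */
static const uint8_t CTRL[] = {0x13, 0x25, 0x38, 0x38, 0x38, 0x4A};
#define N_STATES ((int)(sizeof CTRL / sizeof CTRL[0]))

/* Signature register update (assumed design): absorb one 8-bit control word
   into a 16-bit LFSR with CRC-16/CCITT feedback (polynomial 0x1021). */
static uint16_t sig_step(uint16_t sig, uint8_t ctrl)
{
    sig ^= (uint16_t)(ctrl << 8);
    for (int i = 0; i < 8; i++)
        sig = (sig & 0x8000) ? (uint16_t)((sig << 1) ^ 0x1021)
                             : (uint16_t)(sig << 1);
    return sig;
}

/* Run the state machine and return the final signature. skip_state >= 0
   models a fault that makes the sequencer jump over that state; -1 is clean. */
static uint16_t run_signature(int skip_state)
{
    uint16_t sig = 0xFFFF;
    for (int s = 0; s < N_STATES; s++)
        if (s != skip_state)
            sig = sig_step(sig, CTRL[s]);
    return sig;
}

/* End-of-calculation check: returns 1 (alert) when the signature differs
   from the expected value. The whole scheme rests on this one comparison. */
static int alert(uint16_t sig, uint16_t expected) { return sig != expected; }

/* Number of single skipped-state faults that raise the alert. */
static int detected_skips(void)
{
    uint16_t expected = run_signature(-1);
    int n = 0;
    for (int s = 0; s < N_STATES; s++)
        n += alert(run_signature(s), expected);
    return n;
}

int main(void)
{
    printf("skipped states detected: %d of %d\n", detected_skips(), N_STATES);
    return 0;
}
```

In this model every single skipped state changes the final signature, but the alert is raised only by the one comparison in `alert()`, which is the decision point the paragraph above identifies as the weakness.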